Federal agency leaders fall behind hackers in security expertise

Federal systems and network security managers, who often lack adequate training for
their jobs, are finding it nearly impossible to fight numerous and increasingly
sophisticated cyberattacks.


The Defense Department sounded a wake-up call last year during its Eligible Receiver 97
exercise. Before DOD network managers were out of their beds one Monday morning, they were
hit with the news that several DOD systems had been maliciously hacked into the night
before, and the security of data on weapons systems, personnel and troop movements had
been compromised. Simultaneous attacks had taken out international telecommunications
networks and power systems.


When word came that it was only a test, the relief was palpable.


“In terms of systems insecurity, an attack like that would be a total
nightmare—the kind of thing you never want to see in real life,” Jim Christy, a
DOD computer crime investigator, said. “Your mind starts running down alleys looking
for an answer, and you realize that the range of the hacker profile is vast, that you
could be looking for evidence from a foreign intelligence agency or a terrorist, an
industrial competitor or just a disgruntled employee.”


Before the early 1990s, such security problems did not exist, Christy said, because
dedicated systems ran on mainframes or discrete Unix networks.


“Looking back, it seems that the government’s transition to using
off-the-shelf parts was inevitable,” he said.


But the less costly, commercial systems are a two-edged sword. “Once we began to
use them, the tools and methods for breaking into our systems increased,” Christy
said. “By using commercial parts, our security became less of a secret.”


Federal security mavens are fighting back. The Justice Department and the FBI in
February established the National Infrastructure Protection Center at FBI headquarters as
a clearinghouse for security incidents, in government and in the private sector.


NIPC has 125 security experts from the National Security Agency, CIA, FBI and other
agencies. When a cyberattack occurs, the center’s security team acts fast to collect
information on the attack from the affected agency, usually from the systems
administrator. Amassing cyberattack data is only one part of NIPC’s multipronged plan
to help agencies prevent attacks.


“We are not the nation’s super-systems administrators or security officer,
responsible for securing everyone’s infrastructure or system against intruders or
advising on the latest security software or patches to fix vulnerabilities,” said
Michael A. Vatis, NIPC chief and an FBI deputy assistant director.


“That role must be filled by systems administrators in each company, by chief
information officers in government agencies and by industry groups and other
entities,” he said.


Because agency systems administrators have the most knowledge about their networks,
they are best suited to oversee security, agreed Mark A. Boster, deputy assistant attorney
general for IRM. And stronger security is a vital part of the overarching systems
architecture the Information Technology Management Reform Act requires agencies to build,
he said.


The Environmental Protection Agency holds a similar view, said Jerry Slaymaker, senior
adviser to EPA CIO Alvin Pesachowitz.


“For some time at EPA we’ve held the point of view that it is wise to involve
the systems administrators with security,” Slaymaker said. “They’re the
ones familiar with the needs of the workers and the capabilities of the systems.”


Boster, who is also chairman of the CIO Council’s Security Committee, added,
“What we’re finding is that the systems administrators are often people with
intimate knowledge of the system and are therefore uniquely qualified to deal with system
penetration and security.”


But therein lies a problem, he said.


In agencies, the first line of defense has been sysadmins, Boster said. But federal
sysadmins have not been trained in security. Many are former clerical staff members who
showed an aptitude for computers, he said.


Their duties might include loading new software, system maintenance and other mundane
operations. Security duties may be more of a burden than they can handle, Boster said.


“They’re already working very hard just to maintain their network, so when
additional duties are assigned, managers will need to find a creative way to add the
additional burden of security and education,” he said.


The stakes are high, and not just in training. Spending on network security worldwide
will edge toward $2 billion this year and is expected to jump to nearly $3 billion next
year.


The quest for security demands a balanced approach, said Alan Paller, director of
research for the SANS Institute Inc., a security research organization in Bethesda, Md.


“What is really important is not to invest all of your money at once because this
stuff is constantly getting cheaper and changing all of the time,” Paller said. 
